TRANSCRIPT
© 2009 OSIsoft, LLC. | OSIsoft vCampus Live! 2009 | where PI geeks meet
Considerations of the new PI Security Model
Bryan S. Owen – OSIsoft Cyber Security Manager
Security Roadmap…
Security Reality Today
• State of denial is over
– Transference of risk is next
…getting more difficult
• Compliance mandates
– Duty to protect the public
…not just assets
• Cost escalation
– 10% of IT budget and growing
…not sustainable, need a better approach
Network is the Battlefield
• Now()
– Practically all critical infrastructure and key resource elements have an IT backbone
– Needs to be available, reliable, and secure
• Tomorrow()
– New initiatives and more dependency on internet
• Cloud Computing
• Energy distribution
• Transportation
1-Watt GPS Jammer

EPRI IntelliGrid – Real Time Integration
(diagram: layers Power System Resources, Real Time Applications, Communication Infrastructure, Data Management and Enterprise Applications; elements shown: Customer Integration, Distribution automation, Substation automation, Transmission Ops, WAMAC, PP integration, DER integration, Power procurement, Market operations, Regional Transmission Operator, Distribution Control Center, External corporations)
Trust
Application services must trust infrastructure
and
Application services must be trusted
What is the basis for trust?

A Non-Trivial Challenge
• Cyber security is asymmetric warfare
– Defend against all possible attacks, even the unknown
– New defenses are expensive, new attacks are cheap
– Deterrence can’t be measured, but exploits can

Approach
• Plugging holes faster is not enough
– Need to build a proactive stance
– Effectively block attackers
  • Delay, disrupt and “disincentivize”
  • Technical and non-technical means
• Use all available intelligence
– Tap security features and resources
  • Enable defenses
  • Instrument, collect, and analyze logs
– Effective collaboration

Operational Data Management
(diagram spanning the Operations Domain, Data Management Domain and Enterprise Domain; elements shown: BMS, IDS/IPS, PI Interfaces, Firewall, Router/Switch, Server, AMI Meter HeadEnd, EMS/SCADA Control System, WAMS, DER, PI System, Systems Management, Situational Awareness, Integration Applications, ProcessBook, PI WebParts, ERP, Market, RTO, GIS, CIS, OMS, Forecast, CMMS)
Digital Bond – Portaledge
• Project funded by the U.S. Department of Energy
– PI is widely deployed in the energy sector
• Adds capability to detect cyber attacks
– Aggregate and correlate security events in PI
– Uses IT Monitor + PI ACE
• Design, manuals and source online: “Scadapedia”
– Released modules
• Availability – computer, network, system degradation
• Enumeration – port scan, anomalous network traffic

Effect on ISV Solutions
• Accountable
– Verify software supply chain
…minimize on-going risk
• Agile
– Build for security not just compliance
…adapt to emerging threats
• Affordability
– Leverage infrastructure services
…Windows integrated security “WIS”

WIS Overview
(diagram: on the Windows PI Server, Active Directory security principals are authenticated, an identity mapping links them to PI Identities, and authorization is decided by Access Control Lists on PI Secure Objects)

WIS Implementation Benefits
• Enhanced security
– Increased control and flexibility
– Standards and compliance templates
• Less Maintenance
– Stability
– Domain accounts
• Better Manageability
– System Management Tools (SMT)
– Group policy tools
• Lifecycle Support
– Backward compatible
– Windows 2008 R2 (x64) on Server Core

Authentication – Still the Weakest Link
Source: 2009 Verizon Data Breach Report
(chart: Hacking Breach by Type, counts on a 0–18 scale; categories: Default or Shared Credentials, SQL Injection, Improper ACLs, Stolen Credentials, Authentication Bypass, Privilege Escalation, Brute Force, Buffer Overflow, Session Variables, Cross-Site Scripting)
WIS Prerequisites
• Client application using PI-SDK 1.3.6
• PI Server 3.4.380
• Domain membership strongly recommended
– Clients, application servers, database servers
– PI Interface nodes remain centered on their data source
Mapping Active Directory Groups
• Single Sign On – Windows Security (Kerberos)
– One time mapping for Active Directory Groups
Legacy Methods are Weak
• Security Alert: PI Authentication Weakness
– OSIsoft Technical Support Bulletin
• Eliminate use of PI User passwords in versions prior to WIS (KB Article # KB00304)
– 2009/09/30 C4 SCADA Security Advisory
– US CERT CVE-2009-0209
Installation Warning

Authentication Path
(diagram: a PI3/SDK or API client connects over TCP/IP port 5450 through the firewall to the PI Server, where version and license are checked; the authentication methods shown are Windows SSPI (Kerberos or NTLM against Microsoft Active Directory and DNS, or local Windows accounts, with a reverse name lookup flag and a lookup of the Windows SID), PI Trust, and PI Explicit Logon; a YES on a method resolves to PI Identities and Access Granted, otherwise Access Denied; API connections pass through API processing)
PI-SMT Security Settings

Authentication Policy
• Policies to Allow and Prioritize Methods
– Windows SSPI
– PI Trust
– Explicit Login
• Granular Scope
– Server
– Client
– Each Identity
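An added illustrative model of the authentication path and policy slides above; it is not OSIsoft code and not PI's actual algorithm. It assumes a method is usable only when server and client both allow it, methods are tried in the server's priority order, SSPI resolves identities through the one-time AD group mapping, a PI Trust maps host and application to one identity, an explicit login names a PI user directly, and the resolved identity must itself allow the method; the function name, identity names, group names and hosts are constructed.

```powershell
# Added illustrative model, not OSIsoft code: evaluates the slide's authentication path
# under policies that allow and prioritize methods at server, client and identity scope.
# Assumptions: a method is usable only when server and client both allow it; methods are
# tried in the server's priority order; SSPI maps Windows groups to PI identities through
# the one-time AD group mapping; a PI Trust maps host and application to one identity;
# explicit login names a PI user directly; the identity must also allow the method used.
function Resolve-PIAuthentication {
    param(
        [string[]]$ServerOrder,        # priority, e.g. 'SSPI','Trust','Explicit'
        [hashtable]$ServerAllows,      # method -> allowed?
        [hashtable]$ClientAllows,      # method -> allowed?
        [hashtable]$IdentityAllows,    # identity -> @{ method -> allowed? }
        [hashtable]$GroupToIdentity,   # AD group -> PI identity
        [hashtable]$Trusts,            # "host|application" -> PI identity
        [hashtable]$Request            # WindowsGroups, Host, Application, PIUser
    )
    foreach ($method in $ServerOrder) {
        if (-not ($ServerAllows[$method] -and $ClientAllows[$method])) { continue }
        $candidates = switch ($method) {
            'SSPI'     { @($Request.WindowsGroups | ForEach-Object { $GroupToIdentity[$_] }) }
            'Trust'    { @($Trusts["$($Request.Host)|$($Request.Application)"]) }
            'Explicit' { @($Request.PIUser) }
        }
        $granted = @($candidates |
                     Where-Object { $_ -and $IdentityAllows[$_] -and $IdentityAllows[$_][$method] } |
                     Select-Object -Unique)
        if ($granted.Count -gt 0) {
            return [pscustomobject]@{ Result = 'Granted'; Method = $method; Identities = $granted }
        }
    }
    [pscustomobject]@{ Result = 'Denied'; Method = $null; Identities = @() }
}

# Constructed sample policy: explicit login is disabled at the server, as the advisory above
# recommends, so the legacy user name/password path cannot succeed even though the client
# would offer it, while a domain user in a mapped AD group is granted through SSPI.
$policy = @{
    ServerOrder     = 'SSPI', 'Trust', 'Explicit'
    ServerAllows    = @{ SSPI = $true; Trust = $true; Explicit = $false }
    ClientAllows    = @{ SSPI = $true; Trust = $true; Explicit = $true }
    IdentityAllows  = @{ Operators  = @{ SSPI = $true;  Trust = $false; Explicit = $false }
                         Interfaces = @{ SSPI = $false; Trust = $true;  Explicit = $false } }
    GroupToIdentity = @{ 'CORP\PI-Operators' = 'Operators' }
    Trusts          = @{ 'IFNODE01|PI-Interface' = 'Interfaces' }
}
Resolve-PIAuthentication @policy -Request @{ WindowsGroups = @('CORP\PI-Operators'); Host = 'WS42'; Application = 'ProcessBook' }
Resolve-PIAuthentication @policy -Request @{ WindowsGroups = @(); Host = 'IFNODE01'; Application = 'PI-Interface' }
Resolve-PIAuthentication @policy -Request @{ WindowsGroups = @(); Host = 'WS42'; Application = 'ProcessBook'; PIUser = 'legacyuser' }
```

The first call is granted through SSPI as Operators, the second through the trust as Interfaces, and the third is denied because explicit login is blocked at the server scope before the identity is ever consulted.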

Group Policy for WIS
• Access this computer from the network
– Remove “Everyone” default
• NTLM
– Sharing and security model for local accounts: change “Guest” to “Classic” (Guest is the Windows XP default)
– Lan Manager authentication level: run at level 5 to prevent downgrade attacks
• Kerberos
– Configure PI WebParts for SSO using Kerberos (KB Article # KB00100)
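An added audit script for the three Group Policy items above; it is not from the slides or OSIsoft. LmCompatibilityLevel, ForceGuest, SeNetworkLogonRight and the Everyone SID S-1-1-0 are standard Windows names; the function name and the temporary file name are mine.

```powershell
# Added example, not OSIsoft code: audit the three Group Policy items the slide lists.
# Run in an elevated PowerShell session on the PI Server or client host (secedit needs admin).
function Test-WisGroupPolicy {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # "LAN Manager authentication level": 5 = send NTLMv2 response only, refuse LM and NTLM.
    # A missing value means the OS default applies; report it as not pinned (-1).
    $lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { -1 }

    # "Sharing and security model for local accounts": ForceGuest 1 = Guest only, 0 = Classic.
    $forceGuest = if ($null -ne $lsa.ForceGuest) { [int]$lsa.ForceGuest } else { -1 }

    # "Access this computer from the network" is the SeNetworkLogonRight user right.
    # Export the effective local policy and check whether Everyone (S-1-1-0) still holds it.
    $cfg = Join-Path $env:TEMP 'wis-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $right = Get-Content -Path $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    $everyone = [bool]($right -and ($right -match '\*S-1-1-0(,|\s*$)'))

    [pscustomobject]@{
        LmCompatibilityLevel = $lmLevel
        LmLevelIs5           = ($lmLevel -eq 5)
        ForceGuest           = $forceGuest
        ClassicModel         = ($forceGuest -eq 0)
        EveryoneNetworkLogon = $everyone
        EveryoneRemoved      = (-not $everyone)
    }
}

Test-WisGroupPolicy | Format-List
```

A domain-joined host ignores ForceGuest, so on such hosts only the LM level and the network logon right are actionable findings.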
PI-SDK Programming and WIS
• Server Object “CurrentUser”
– List of PI identities granted for this connection
• New: IServerConnect interface “DisplayUser”
– Normally represents the Windows user
• Unimplemented methods are documented
– Is programmatic access to WIS configuration needed?
– Is Piconfig enough?
Authentication Summary
• Domain Membership
– Strongly Recommended
– Clients and Servers
• Manage Users and Groups
– Centrally in Windows
– One time association in PI
• Explicit Login and Trust
– You have control

Basic Deployment Pattern
(diagram across the Control System Domain, DMZ and Business User Domain: a PI Interface Node or OEM with PI-to-PI is the originator of time series data, an Access Point fronts the PI Server, and desktops and data access servers consume application data; the link between zones is a data-only conduit)

High Availability Deployment Pattern
(diagram across the Control System Domain, DMZ, Business User Domain and Protected User Domain: a PI Interface Node feeds a PI Server (HA) pair, with an Access Point and desktops and data access servers; flows shown are a data-only conduit, configuration data, time series data and application data)

PI to PI Deployment Pattern
(diagram across the Control System Domain, DMZ, Business User Domain and Protected User Domain: a PI Interface Node feeds a PI Server that is the originator of time series data, which PI-to-PI replicates through an Access Point to a second PI Server)
What else in PI 3.4.380?
• PI Network Manager
– Stability and hardened stack
– Performance
– Enhanced SMT plug-in
• Message Log Subsystem
– Filter by severity
• Critical, Error, Warning, Informational, Debug
• Audit Trail
– Windows user preserved
Backup Enhancements
• Backup
– Performs incremental backup
– Checks integrity
– Maintains “Last Known Good”
– New SMT plug-in
• On demand copy backup
• Viewing backup history
Certification and Security
• Windows Server 2008 R2 ‘Certified’ program
– Goal: increase quality of applications
– More compatible, reliable, secure
• A few of the security requirements
– Instrument for User Account Control (UAC)
– SSPI authentication must use secure default
– Digitally sign all executables
– Must not relax default security settings
• Document exceptions: AntiVirus, Firewall

Our Commitment to You
• Ongoing focus of Security Development Lifecycle
– Help you with Best Practices
  • Reduce effort and improve usability
  • Eliminate Weakest Code
– Cumulative QA effort with every release
– Collaborate with Security Experts
  • Industry, Government, Academia, Partners, Customers

When will you Upgrade?
(chart: percent upgraded, 0–80%, against days 0–350 since the PI Network Manager Security Patch 18175OSI8)
Being Secure Is…
• More than regulations and features
– Technology can help
• A state of mind, knowing
– Your systems
– What to do
– Who you trust
– OSIsoft wants to earn your trust
Palace Hotel, San Francisco, CA • Dec 1 - 2, 2009